Securing login pages
I meant to blog about this last week, but I was sick and never got around to it. There was a great conversation I was following about "Should login pages be protected by SSL?"
Lots of good points on both sides. I definitely favor secure login pages for financial, purchasing sites, etc.; that's a no-brainer. I'm not sure about general purpose sites, though.
The case that bothers me is logging on over an insecure wi-fi hotspot. For me, I have several levels of passwords of increasing complexity and varying rotation schedules:
- simple disposable accounts when checking out a site, "qwerty"-style password for an account that I probably will never come back to
- sites where I'm not very concerned about the data (bloglines, my yahoo)
- message boards, email password
- bank, paypal, credit card sites
- webserver shell, database, etc.
- government work
So, if someone sniffs my msgboard password from an unsecured login page, it won't likely cause problems with my bank account. But I have the feeling that some people, like my parents, have a common password for most of their sites.
So, is it a disservice to leave a login page non-https for your users, even if you're not handling sensitive data (aside from the password)?
I've been debating whether or not to secure the login page for Gefilter Fish, so I checked out what the trend currently is with hip websites:
http://del.icio.us/login - doesn't appear to use ssl
http://www.flickr.com/login.gne - doesn't appear to use ssl
http://www.blogger.com/start - doesn't appear to use ssl
http://www.bloglines.com/login - doesn't appear to use ssl
http://www.furl.net/index.jsp - doesn't appear to use ssl
http://123.backpackit.com/login - doesn't appear to use ssl
http://360.yahoo.com - MODE: Standard | Secure option
Hmm, not many sites seem to bother securing a login page anymore. Am I missing something? Is there a better, Web 2.0 method of accomplishing this nowadays that I don't know about? Or have people come to the conclusion that it doesn't really matter for non-critical websites?
Posted on Thu, 30 Jun 2005 15:15 by Seni Sangrujee